Determination of the required SIL (SILr) according to IEC 62061

Last edit: 22/08/2023

Annex A of IEC 62061 gives a method to estimate the required SIL (Safety Integrity Level) of a Safety-related Control System. The method is well suited to the high demand mode of operation and is not recommended for Safety Functions in low demand mode, where other methods such as LOPA (Layer of Protection Analysis) [71] can be used.

In IEC 62061 too, Annex A is informative, and exactly the same considerations about subjectivity described in the previous paragraph apply.

Risk elements and SIL assignment

The following parameters apply:

  • Severity of harm (Se), equivalent to the Severity of Injury of ISO 13849-1
  • Probability of occurrence of that harm, which is a function of:
      • frequency and duration of the exposure of persons to the hazard (Fr)
      • probability of occurrence of a hazardous event (Pr)
      • possibilities to avoid or limit the harm (Av)

The severity of harm (Se) is given a score from 1 to 4, with 4 being the most severe.

The probability of harm occurring is broken down into three parameters; each of these parameters is scored from 1 to 5, with 5 being the “worst” situation and their scores are added to determine a class (Cl).

The SIL rating is then chosen from a matrix that plots the severity score (Se) against the class (Cl). The SIL is determined using table 4.6 {4.8.1.1}. The class (Cl) is calculated as follows: Cl = Fr + Pr + Av.

The black area indicates the SIL assigned as the target for the SCS. The lighter shaded areas indicate that a safety function with a value lower than SIL 1 can be used. That is the equivalent of a PLr a according to ISO 13849-1. If a control system is used to reduce the risk, only Basic Safety Principles should be used. The concept is also called “Other Measures” (OM).

Compared to the first edition of IEC 62061, SIL 2 at Class 3 and 4 is now reduced to SIL 1, because of the low score for the classes of Frequency, Probability and Avoiding Harm.

As indicated in table 4.4, there is a relationship between SIL and PL. Moreover, a machinery engineer can use Annex A from IEC 62061 for the determination of the required PLr and use ISO 13849-1 for the calculations of the reached reliability. That is the reason why, in table 4.6 {4.8.1.1} (same as table A.6 of IEC 62061), both SIL and PL levels are indicated.

Severity (Se)

Similarly to ISO 13849-1, the severity of harm can be estimated by choosing the appropriate value based upon the consequences of the accident. This time four levels are given, similar to the Rapex guidelines:

  • 4 is a fatal or significant irreversible injury: limb loss, permanent lung damage, loss of an eye or partial or total loss of vision;
  • 3 is a serious or irreversible injury, but it is possible to continue work after healing; examples are loss of fingers or toes, but also broken limbs;
  • 2 is a more serious reversible injury that requires medical attention. It is possible to resume work after a short period of time, e.g. serious lacerations, excruciating and severe bruising;
  • 1 is a slight injury in which first aid care without medical intervention is sufficient.

Compared to ISO 13849-1, a score of 3 or 4 corresponds to S2 and a score of 1 or 2 corresponds to S1.

Probability of occurrence of harm

Each of the three parameters Fr, Pr, Av must be estimated separately, using the most unfavourable situation.

Frequency and duration of exposure (Fr)

The parameter Fr is linked to:

  • the frequency of presence of the person in the hazardous area and
  • the average duration of presence.

The standard gives the frequency and duration of exposure classification in five levels:

As shown in the table, if the duration is less than 10 min, the value can be rounded down to the next level. This does not apply to the frequency of exposure of 1 h, which should not be decreased in any case.

Probability of occurrence of a hazardous event (Pr)

This parameter is not explicit in ISO 13849-1.

The probability of occurrence of a hazardous event is rated on a scale from 1, for negligible probability, to 5, for very high probability.

This is probably the most difficult parameter to estimate, because of the influence of the Automation, or Control system, which has no Reliability data.

Let’s consider the presence of both a person and a Robot inside a safeguarded space. In order to determine the required SIL, the question is: what is the probability that the person is hit by the robot in case of an unexpected start-up, assuming of course that there is no Safety-related control system?

Someone may observe that, even without a safety system, the Automation keeps the robot still: the probability would then be Rarely or Negligible. The issue is that the Automation system has no Reliability data and, for a conservative approach, it cannot be relied upon in this analysis. If the person remains close to the Robot all the time while inside the area, the probability of occurrence would then be Very high. The considerations should then be where the person is normally working and the fact that, in case of an unexpected start-up, the person may be in the robot Operating Space. The narrower the operating space, the higher the probability.

Probability of avoiding or limiting the harm (Av)

This parameter describes whether or not harm could be avoided or limited in case of a hazardous event.

The possibility can be estimated by considering the following aspects:

  • Skills of the machine user.
  • Speed of the hazard.
  • Risk awareness.
  • Ability to react.

Regarding the skills and abilities, the standard clarifies that human abilities cannot be accounted for more than once for each safety function. There are three levels for Av.

Example of the table use

Still considering a manually loaded press, the consequence of the dangerous event is an irreversible injury, with possible loss of a hand: Se = 4.

All other parameters must be added together in order to select the class.

– An operator is exposed to hazard several times a day → Fr = 5

– The hazardous event may occur → Pr = 3

– The danger can be avoided → Av = 3

The sum of Fr, Pr and Av (5 + 3 + 3) = 11

A level of SIL 3 must be achieved by the Safety-related control system.

Document [55] is a good analysis of the differences between ISO 13849-1 and IEC 62061 for the determination of the required Reliability level.